Linux Kernel Programming
Duration: 5 days

Back to course list Home
Synopsis Understand the inner workings of the Linux Kernel and its various subsystems, from an architectural perspective, as well as through driver writing. The course explains the components, and focuses on them using a sample device driver coded and expanded by the students. The students will become familiar with the Linux source code of the latest kernels (3.14 at the time of writing), with thorough review of the sources, as well as detailed discussions of the various features introduced in each minor Kernel version.
Target Audience Device Driver developers, Security professionals interested in malware and rootkits, and/or anyone interested in obtaining deeper insights into the workings of the Linux Kernel
  • Describe the functions and architecture of the Linux Kernel
  • Create a fully functional character device driver
  • Explain the various Kernel subsystems, including the task scheduler, and virtual memory manager
  • Explain, interface with and hook Kernel system calls
Exercises This course allocates plenty of time for hands-on practice.
The hands-on exercises include:
  • Creating a full fledged Linux character driver
  • Manipulating Kernel structures like process control blocks (task_struct), event notification chains and others
1. Introduction
4 hours
Introduction to the Linux architecture. We discuss the design and implementation of the Linux Kernel and its various subsystems, at a modular "black box" level, without going into the source code level (yet).
  • Linux Kernel features
    • Version differences - 2.6 through 3.14
      • User-Mode and Kernel-Mode Architecture
        • The Linux Task Scheduler (thread manager)
          • The Linux I/O Schedulers:
            • Elevator/NoOp
              • DeadLine
                • Anticipatory
                  • Complete Fair Queueing (CFQ)
                  • Devices in Linux
                    2. Kernel Related Commands
                    1 hours
                    A discussion of the various user-mode tools available for Kernel-related debugging tasks, including:
                    • The /proc filesystem
                      • The /sys filesystem
                        • dmesg
                          • strace and ltrace
                            • The ModUtils (lsmod, insmod, modprobe/depmod, rmmod..
                              3. The Kernel Sources
                              1 hours
                              The Linux Kernel comes in the form of a mammoth tarball of gigantic (>250MB) proportions. In this module, we discuss how to navigate the sources using the Linux Cross Reference (LXR) tools, as well as how to compile and cross-compile the kernel.
                              • The Kernel source
                                • Navigating the source tree
                                  • Compiling the Kernel
                                    Day 2
                                    4. The Kernel Boot Process
                                    3 hours
                                    The best way to get to know the kernel sources is to follow the Kernel boot, step by step. In this module, we do exactly that, starting with the boot loader, onward to the Kernel startup, and finally the user mode phase of init.
                                    • The PC Boot process - BIOS and EFI
                                      • The Boot Loader
                                        • GRUB
                                          • EFI
                                          • The Kernel boot phase
                                            • Init and user mode startup
                                              5. Kernel Survival Guide
                                              4 hours
                                              Basic issues with Kernel programming, the do's and do-not's of Kernel programming
                                              • Kernel Modules
                                                • Portability issues across architectures
                                                  • Linked Lists in the Kernel
                                                    • Synchronization primitives
                                                      • Atomic operations
                                                        • Spinlocks
                                                          • R/W Locks
                                                            • Sempahores
                                                              • Completions
                                                              • Kernel notification chains
                                                                • printk
                                                                  • The /Proc Filesystem
                                                                    • The seq_file interface
                                                                      Day 3
                                                                      6. Kernel subsystems
                                                                      4 hours
                                                                      An in-depth discussion of two of the most important subsystems in the Kernel - System calls, and the Task Scheduler.
                                                                      • System Calls - In depth:
                                                                        • System call modes - Interrupt gates vs. SYSENTER/SYSCALL
                                                                          • Adding system calls to the Kernel
                                                                            • Calling system calls from Kernel Mode
                                                                              • System call tracing using API
                                                                              • Processes and threads - in depth
                                                                                • Creating processes - the clone() system call
                                                                                  • Maintaining processes/threads - the task_list
                                                                                    • The Process/Thread control block - struct task_struct
                                                                                      • Processor run queues and migration
                                                                                        • Priorities & scheduling
                                                                                          7. Creating a basic device driver
                                                                                          2 hours
                                                                                          Creating a basic character device driver, including:
                                                                                          • System calls from the driver's perspective
                                                                                            • Device Major & Minor numbers
                                                                                              • register_chrdev
                                                                                                • udevd and hotplug
                                                                                                  • Interfacing with sysfs (/sys directory)
                                                                                                    Day 4
                                                                                                    8. Advanced Topics
                                                                                                    4 hours
                                                                                                    Focusing on the Kernel time-keeping mechanisms and virtual memory management, we discuss:
                                                                                                    • The Kernel internal timer - Jiffies
                                                                                                      • Tickless Kernels
                                                                                                        • Timer objects
                                                                                                          • Delays
                                                                                                            • Wait Queues
                                                                                                              • mdelay/udelay/ndelay
                                                                                                              • Virtual Memory
                                                                                                                • The Kernel memory map
                                                                                                                  • Virtual Memory:
                                                                                                                    • kmalloc/kfree
                                                                                                                      • The Slab allocator
                                                                                                                        • The cache allocator
                                                                                                                          • The buddy allocator
                                                                                                                          9. Driver, Interrupted
                                                                                                                          3 hours
                                                                                                                          Developing a device driver and writing in Kernel mode introduces an often overlooked aspect of programming - Interrupt handling. Interrupts, generated by devicet often the most inopportune and unpredictable times, are an issue to be reckoned with, and involve considerable programming constraints.
                                                                                                                          • IRQs and interrupts
                                                                                                                            • Requesting an interrupt (request_irq)
                                                                                                                              • Interrupt handlers and entropy
                                                                                                                                • Bottom Halves:
                                                                                                                                  • Tasklets
                                                                                                                                    • SoftIRQs
                                                                                                                                      • work queues
                                                                                                                                      Day 5
                                                                                                                                      10. Kernel Network Architecture
                                                                                                                                      2 hours
                                                                                                                                      An introduction to the Kernel Network architecture, focusing on network devices (=interfaces), with a brief overview of the TCP/IP Stack at the socket level.
                                                                                                                                      (Note: This introductory module serves only as a basic overview - The Kernel networking subsystems are discussed in far more detail in their own dedicated course - Linux Networking).
                                                                                                                                      • Linux interfaces
                                                                                                                                        • struct net_dev
                                                                                                                                          • Building a simple Ethernet interface
                                                                                                                                            • inet_proto and layer IV protocols
                                                                                                                                              • Hooking TCP/IP socket operations
                                                                                                                                                • NetFilter/IPTables - briefly
                                                                                                                                                  11. Linux Kernel Security
                                                                                                                                                  2 hours
                                                                                                                                                  A detailed discussion of the Linux Kernel security features, including:
                                                                                                                                                  • The Linux Capabilities model
                                                                                                                                                    • Linux Security Modules (LSM) and SELinux
                                                                                                                                                      • Kernel buffer overflow protection - ExecShield and randomization